This is to announce oath-toolkit-2.6.13, a stable release.

OATH Toolkit provides components to build one-time password authentication systems. It contains shared C libraries, command line tools and a PAM module. Supported technologies include the event-based HOTP algorithm (RFC 4226), the time-based TOTP algorithm (RFC 6238), and Portable Symmetric Key Container (PSKC, RFC 6030) to manage secret key data. OATH stands for Open AuTHentication, which is the organization that specifies the algorithms.

The following components are included:

  * liboath: A shared and static C library for OATH handling.
  * oathtool: A command line tool for generating and validating OTPs.
  * pam_oath: A PAM module for pluggable login authentication for OATH.
  * libpskc: A shared and static C library for PSKC handling.
  * pskctool: A command line tool for manipulating PSKC data.

The project web pages are available at:
  https://oath-toolkit.codeberg.page/
  https://codeberg.org/oath-toolkit/oath-toolkit

Documentation for the command line tools oathtool and pskctool:
  https://oath-toolkit.codeberg.page/oathtool.1.html
  https://oath-toolkit.codeberg.page/pskctool.1.html

Tutorial on PSKC:
  https://oath-toolkit.codeberg.page/libpskc-api/pskc-tutorial.html

Manual for PAM module:
  https://oath-toolkit.codeberg.page/pam_oath.html

Liboath Manual:
  https://oath-toolkit.codeberg.page/liboath-api/liboath-oath.h.html

Libpskc Manual:
  https://oath-toolkit.codeberg.page/libpskc-api/pskc-reference.html

General information on contributing:
  https://oath-toolkit.codeberg.page/contrib.html

GitLab Pipeline:
  https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines

Code coverage charts:
  https://oath-toolkit.gitlab.io/oath-toolkit/coverage/

Coverity report:
  https://scan.coverity.com/projects/oath-toolkit

If you need help to use the OATH Toolkit, or want to help others, you are invited to join our oath-toolkit-help mailing list, see:
  https://lists.nongnu.org/mailman/listinfo/oath-toolkit-help

There have been 82 commits by 2 people in the 43 weeks since 2.6.12.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Simon Josefsson (81)
  bob (1)

Here is the release page:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/tag/v2.6.13

Here are the compressed sources and a GPG detached signature:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.13/oath-toolkit-2.6.13.tar.gz
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.13/oath-toolkit-2.6.13.tar.gz.sig

Here is a signed git-archive style minimal source code archive:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.13/oath-toolkit-v2.6.13-src.tar.gz
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.13/oath-toolkit-v2.6.13-src.tar.gz.sig

Here are Sigsum Proofs:
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.13/oath-toolkit-2.6.13.tar.gz.proof
  https://codeberg.org/oath-toolkit/oath-toolkit/releases/download/v2.6.13/oath-toolkit-v2.6.13-src.tar.gz.proof

Here are the SHA1 and SHA256 checksums:

  62807099befb8141e429d3e38750772041ea9056  oath-toolkit-2.6.13.tar.gz
  W12C6aRFUgbST8vX7li/THk5ii5nmX2AvUWuknWGsYs=  oath-toolkit-2.6.13.tar.gz
  9b8af0fdcd4965e9e1a8f27754dd79604f279f5f  oath-toolkit-v2.6.13-src.tar.gz
  KyHTVfqLVfD+XHXD9RkOuFd19UCTP/p6fXT6Xdw5eBs=  oath-toolkit-v2.6.13-src.tar.gz

Verify the base64 SHA256 checksum with cksum -a sha256 --check from coreutils-9.2 or OpenBSD's cksum since 2007.

Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball.
Then, run a command like this:

  gpg --verify oath-toolkit-2.6.13.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <[email protected]>

If that command fails because you don't have the required public key, or that public key has expired, try the following commands to retrieve or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key [email protected]
  gpg --recv-keys 51722B08FE4745A2

Use the .proof files to verify the Sigsum proof. These files are like signatures but with extra transparency: you can cryptographically verify that every signature is logged in a public append-only log, so you can say with confidence which signatures exist. This makes hidden releases no longer deniable for the same public key.

Releases are Sigsum-signed with the following public key:

  cat <<EOF > jas-sigsum-key.pub
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
  EOF

Run a command like this to verify downloaded artifacts:

  wget -q -Otrust.txt https://oath-toolkit.codeberg.page/sigsum-policy-20250309.txt
  sigsum-verify -k jas-sigsum-key.pub -p trust.txt \
      oath-toolkit-2.6.13.tar.gz.proof < oath-toolkit-2.6.13.tar.gz

You may learn more about Sigsum concepts and find instructions on how to download the tools here:
  https://www.sigsum.org/getting-started/

This release is based on the oath-toolkit git repository, available as

  git clone https://codeberg.org/oath-toolkit/oath-toolkit.git

with commit d5f3379eee6288a41d325e1c1e7bc2645c9ffb1c tagged as v2.6.13.

For a summary of changes and contributors, see:
  https://codeberg.org/oath-toolkit/oath-toolkit/commits/tag/v2.6.13
or run this command from a git-cloned oath-toolkit directory:

  git shortlog v2.6.12..v2.6.13

This release was bootstrapped with the following tools:

  Git 2.50.1
  Gnulib 2025-07-15 e8cc0791e6bb0814cf4e88395c06d5e06655d8b5
  Autoconf 2.71
  Automake 1.16.5
  Libtoolize 2.4.7
  Make 4.4.1
  Bison 3.8.2
  Help2man 1.49.2
  Gengetopt 2.23
  Gtkdocize 1.34.0
  Tar 1.34
  Gzip 1.13
  Guix 230ad0e3370e7a7a927d54dff33d2cee8b6300f9

NEWS

* Noteworthy changes in release 2.6.13 (2025-07-29) [stable]

** liboath/libpskc: Fix _FORTIFY_SOURCE build problem and allow configuration.
Some platforms (e.g., Ubuntu 24.10) set _FORTIFY_SOURCE in the default compiler settings, and this caused build failures since our code unconditionally #define'd _FORTIFY_SOURCE to 2. We now allow you to override the desired level by running, for example ./configure CPPFLAGS=-D_FORTIFY_SOURCE=3 or CPPFLAGS=-D_FORTIFY_SOURCE=0.

** liboath: Fix --with-openssl builds, and test for it in pipeline.
Reported by Tomasz Kłoczko in <https://codeberg.org/oath-toolkit/oath-toolkit/issues/36>.

** Git hosting moved from gitlab.com to codeberg.org.
The new URL is https://codeberg.org/oath-toolkit/oath-toolkit although the old GitLab project will continue to be used for pipelines: https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines

** Various build fixes including updated gnulib files.
Gnulib files are no longer stored in git version control. As a consequence, gnulib is a required build dependency when building from git, see CONTRIBUTING.md.

Happy hacking,
Simon
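
Added example, not part of the announcement or of OATH Toolkit: the checksum list above mixes hex SHA1 and base64 SHA256 digests, so this sketch checks a saved copy of such a list with sha1sum, sha256sum, base64 and od on systems whose cksum predates coreutils 9.2. The function names and the idea of saving the list lines to a file are assumptions of the example.

```shell
#!/bin/sh
# Added example: verify a "DIGEST  FILENAME" list that mixes hex SHA1 and
# base64 SHA256 digests, without needing cksum from coreutils 9.2.
# Function names and the list-file layout are assumptions of this example.

# Decode a base64 digest to lowercase hex (base64, od and tr are coreutils).
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# verify_list LISTFILE [DIR]
# Returns 0 only if the list is non-empty and every entry matches.
# Unknown digest formats and missing files count as failures.
verify_list() {
    list=$1; dir=${2:-.}; rc=0; seen=0
    while read -r digest name || [ -n "$digest" ]; do
        [ -n "$digest" ] || continue          # skip blank lines
        seen=1
        case ${#digest} in
            40) tool=sha1sum                   # 20 bytes as hex
                want=$(printf '%s' "$digest" | tr 'A-F' 'a-f') ;;
            44) tool=sha256sum                 # 32 bytes as padded base64
                want=$(b64_to_hex "$digest") ;;
            *)  echo "UNKNOWN DIGEST FORMAT: $name" >&2
                rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name" >&2
            rc=1; continue
        fi
        got=$("$tool" < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK ($tool): $name"
        else
            echo "MISMATCH ($tool): $name" >&2
            rc=1
        fi
    done < "$list"
    [ "$seen" -eq 1 ] && [ "$rc" -eq 0 ]
}

# Stand-alone use: sh verify.sh checksums.txt [download-dir]
[ "$#" -eq 0 ] || verify_list "$@"
```

A matching checksum only shows that the download agrees with the list; authenticity still rests on the GPG signature or the Sigsum proof described in the announcement.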
